[Zeek] known services

Palumbo Mauro mauro.palumbo at aizoon.it
Mon Jul 8 03:19:17 PDT 2019


Hi all,

   I am looking at the known-services log and it seems to me that when multiple services are detected on the conn.log, not all of them are reported in the known-services.log. For example, http+ssl in the conn.log is logged in known-services.log as only http, while other multiple protocols (for example NTLM,DCE_RPC or even as many as SMB,DCE_RPC,KRB,GSSAPI) are correctly logged. Is there any rationale for this behaviour or is it just a bug? I saw there is an issue (#419) open on github about it, but it's not clear to me why this happens only for some combinations of multiple protocols.

Besides, I noticed that the known-services script does not detect all DNS conns. I opened an issue on this #455.

Last, a minor thing. In the script known-services.zeek, in the event connection_state_remove, there is an if statement (below) which is filtering all non-established TCP conns, but also all UDP conns.

    if ( c$resp$state != TCP_ESTABLISHED )
        return;

Despite this, everything works fine because all UDP analyzers raise an event protocol_confirmation. Would it be better to change the if statement into something like:

    if ( c$resp$state != TCP_ESTABLISHED && c$resp$state != UDP_ACTIVE )
        return;

In this way, if a UDP analyzer does not raise the event protocol_confirmation, the connection will still be logged into known-services.

Any thoughts?
Thanks.

Mauro
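The condition discussed in the message above, written out as a small stand-alone Zeek script. This is an added example, not the known-services.zeek that ships with Zeek and not code from the poster; the module name KnownServicesExample and the helper should_consider are assumptions made here. It wraps the proposed check in a function so the state logic can be read (and tested) on its own, and adds one detail beyond the message: the UDP branch is gated on the responder port's transport protocol, because endpoint states in Zeek are plain counts rather than a per-protocol enum, so comparing a TCP endpoint against UDP_ACTIVE is otherwise not meaningful.

```zeek
# Added example: encode the proposed known-services state filter in a
# helper and show how a UDP flow with no confirmed analyzer would be seen.
# KnownServicesExample and should_consider are names chosen for this
# example; they do not exist in Zeek's own scripts.
module KnownServicesExample;

export {
	## Returns T when the responder endpoint is in a state worth
	## considering for known-services logging: an established TCP
	## connection, or an active UDP flow (the extension proposed above).
	global should_consider: function(c: connection): bool;
}

function should_consider(c: connection): bool
	{
	local proto = get_port_transport_proto(c$id$resp_p);

	if ( proto == tcp )
		return c$resp$state == TCP_ESTABLISHED;

	# Only treat UDP_ACTIVE as meaningful for UDP endpoints; the state
	# constants are counts and are not namespaced per transport.
	if ( proto == udp )
		return c$resp$state == UDP_ACTIVE;

	return F;
	}

event connection_state_remove(c: connection)
	{
	if ( ! should_consider(c) )
		return;

	# c$service holds the analyzers that confirmed on this connection.
	# An active UDP flow with an empty set is exactly the case the
	# message describes: a connection the original TCP-only check drops,
	# which the extended check keeps, even with no protocol_confirmation.
	if ( |c$service| == 0 )
		print fmt("no confirmed service on %s -> %s:%s",
		          c$id$orig_h, c$id$resp_h, c$id$resp_p);
	else
		print fmt("services on %s:%s = %s",
		          c$id$resp_h, c$id$resp_p,
		          join_string_set(c$service, ","));
	}
```

Run it against a capture with `zeek -r trace.pcap this-script.zeek`; the `print` lines stand in for the `Log::write` to Known::SERVICES_LOG that the real script performs, so the example only shows which connections pass the filter.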